A network security specialist for the state’s Department of Emergency Services told CT Examiner this week that his department was not sure which state employee records may have been left exposed when the Kronos Private Cloud suffered a ransomware attack last weekend, because the State of Connecticut doesn’t keep local copies of those records, and they are inaccessible at this point.
According to Travis Woodward, president of CSEA SEIU Local 2001, which represents 22,000 active and retired state employees, that shows the danger of the state’s shift to cloud-based services without proper controls and backup data in the event of a cyber attack.
The Kronos Private Cloud, which hosts a popular suite of human resources applications, as well as time-clock and payroll data, was the subject of a cyberattack last weekend that could take weeks to resolve.
The Department of Administrative Services will still be able to issue paychecks using its in-house program Core-CT to process payroll, but Warren Lundquist, a public protection IT architect with the Department of Emergency Services, said he believed it was possible there were HR records scanned into the system that included state employees’ personnel, medical and workers’ compensation information.
“From a security standpoint, we really don’t know the complete picture of what data was in Kronos,” Lundquist said. “All of that is totally inaccessible at this point.”
Without a local backup of those records, employees won’t know what personal information could be accessed by the attackers, said Lundquist.
“In my case, I could lose weeks’ worth of time accounting, overtime information, requests for time off – all that sort of stuff that’s documented in your timesheet area,” Lundquist said.
Lundquist said that whatever information state employees enter into Kronos is imported into the state’s HR system Core-CT weekly or bi-weekly. Because Kronos is shut down, they now can’t access recent time clock data.
Department of Administrative Services spokeswoman Lora Rae Anderson said that the Ultimate Kronos Group (UKG) makes backups of the system and data, and that the status of those backups is being assessed.
According to Anderson, the state wasn’t aware of any state employee data exposed in the ransomware attack, but if data was exposed, she said it would be employee names, phone numbers and ID numbers.
Anderson confirmed that the state does not retain backup records of that data, but does have a “data dictionary” of all data stored in Kronos.
Woodward called the move to cloud-based Kronos a “brainstorm of some overhead managers up at Hartford” that was aimed at fixing a problem that didn’t exist.
“When it was announced, we thought it was an extra service that the state doesn’t really need – basically outsourcing time clock entries that our employees normally do by themselves anyway,” Woodward said. “It was marketed as a way to save a lot of money and keep better track of state employees, and it’s done the opposite – just created a lot of work for us.”
Anderson said that the state pays $1.65 million a year for four state agencies to use Kronos for time clock management – the Department of Corrections, Department of Children and Families, Department of Emergency Services and Public Protection and Department of Veterans Affairs.
According to Anderson, those departments have “unique workforce scheduling and time tracking needs” that can’t be met by the tools available in Core-CT, like bidding for schedules and rotating schedules.
But without a local copy of the data, Lundquist explained, the state can’t supply Kronos with data to re-enter into the UKG application when it comes back online.
And according to Woodward, when time clock data has been moved to Core-CT in the past, it has led to significant inaccuracies, which have taken a significant amount of time to resolve. That has led to several grievances from CSEA about employees being shorted on time, Woodward said, which is why the data kept with Kronos is crucial for keeping accurate records.
Lundquist voiced further concerns that the state hasn’t properly vetted other vendors providing cloud services to store its data – not just Kronos. He said that the state needs to spell out guaranteed backup and restoration times in its agreements, and maintain a local, encrypted copy of all data stored in a cloud.
“When you put it into the hands of the cloud provider, you don’t have custody of that data,” Lundquist said. “I think you really need to think about that with all systems that the state looks to put into the cloud or works with a cloud vendor on going forward.”